Lessons learned from Mayo Clinic - risk management is the organization's immune system

By Sean Murphy posted 06-25-2016 08:20 AM




Lessons from the Mayo Clinic

Since starting Lootok, once a year I go to Rochester, Minnesota, my home state, to take my annual executive physical at the Mayo Clinic. It gives me a good reason to get back to Minnesota to visit family and friends, while maximizing my medical checkups. In just two days, more than fifteen doctors evaluate me. Risk management shares many similarities with the medical field, and it’s where you find the best analogies and metaphors. I wanted to share a few of the insights I have gleaned over my time at Mayo.

Risk management is analogous to the immune system. It is not a thing or part. It is a system that co-exists within other systems that must properly function with a larger system called the organization | organism. You cannot just fix the immune system, buy it, or expect miraculous resiliency overnight. The immune system must be earned, strengthened and maintained every day. You need healthy habits, a positive attitude, healthy living and work environments, proper planning, long-term vision and dedication, and so forth. Risk management works the same way. Risk management also has the same challenges as our immune system: we don’t think much about it until something goes wrong.

The goal of risk management and the immune system isn't to stop all bad things from happening. Just the opposite. It's about learning from bad things. The body is an open system. It’s not designed to stop all the germs and viruses from entering our bodies. It actually uses these “incidents” to become stronger. A resilient organization needs to follow the same process. Incidents and crises make us stronger. It is our response and adaptation (change) that defines if we get stronger or weaker.

The immune system metaphor was introduced to us by The Dude. Who is The Dude? Remember the movie The Big Lebowski (1998)? We had training from a real Dude on storytelling. From the beginning, Lootok has always believed storytelling was the key for creating change. We hired James Bonnet, author of Stealing Fire from the Gods: A Dynamic New Story Model for Writers and Filmmakers. We booked him for two days. The man actually walked, talked, and behaved like The Dude from The Big Lebowski. He was an elderly man with good intentions who occasionally lost his train of thought. He did give us one thing for which I am eternally grateful. He gave us the immune system metaphor.

On one of my first Mayo Clinic visits, I quizzed my case doctor (a tall, lanky Dutch man who also loved wine and cheese – which bonded us immediately) about what all the numbers on my patient chart meant. This chart seemed to resemble an organizational risk dashboard you see in risk management. Like humans, organizations are living things. I was fascinated by what distinguishes a healthy human or organization from a sick one. What is the definition and criteria for measuring success versus failure? How do we define the costs and benefits of our decisions? When should we intervene or let the system fix itself?

I remember complaining to him about how society views a businessperson who works 60 to 70 hours a week as a workaholic, even greedy [we were discussing work-life balance]. But an artist can work even more hours and is celebrated for their passion. Heck, an artist can get away with inappropriate and unprofessional behavior, while someone like me (a businessperson) would be fired and/or end up in a lawsuit. Just doesn’t seem fair to me. So I asked him what he saw as the difference. He said, “You can afford to fly to Mayo Clinic for a two-day executive physical.” Point taken.

Below are some of the lessons I learned from my time at the Mayo Clinic.

Lesson 1: Learn to Read the Charts

Financial statements are like fine perfume; to be sniffed but not swallowed. Abraham Briloff

When you begin any type of analysis or assessment, whether it is for a person or an organization, start with the charts. We need to define what we are measuring and understand why. Like doctors and their charts, we need to do the same. Doctors have a standard set of charts, such as blood cell count, cholesterol, blood pressure, temperature, blood sugar, etc. They also have diagnostic charts based on specific findings or concerns such as celiac, x-rays, or cancer tests.

What are the variables, thresholds, and boundaries? What should the picture look like? What are the cues that help us make sense of the situation? Is it within acceptable boundaries or do we need to take corrective action? We need to define and map out all of the factors that come into play in our decision-making, something that is widely ignored in the risk management industry. Charts can help us recognize and interpret patterns and grasp the larger story. Charts help us make decisions by allowing us to compare and contrast, and trend and track information. They can indicate progress or loss and help us to define success and failure. Every piece of data acts as a pixel and helps us build a larger, more accurate picture.

The organization marches to the leadership’s vision, strategies, and goals. So what does the leadership team care about? They care about two things: (1) RESULTS and (2) EFFECTS. The leadership uses various levers to control and manipulate the system to accomplish specific end states. This is why leadership spends time reviewing and monitoring reports (Results) and implementing processes/policies (Effects). Management tries | pilots various projects to see the effects to determine necessary changes | how projects affect the results. We should be asking ourselves what reports management is reviewing and monitoring, and why. There are regular meetings where leadership participates remotely or in person to present results and determine what to do (effects). Our first step is to identify reports, measures, and reasons | value of measures. The second step is to understand where this information is coming from. How is it entered? What systems? Who enters the data? A third step is to tie into the reports and systems for risk management purposes. Ultimately, charts and the information in them help us determine what decisions we should make and explain why.

The charts tell a story. They show causality, acceptable boundaries, and a range instead of single points. They help us define what we should do, what remedies to apply or changes that need to occur. Risk management works the same way. In order for it to work, you need good dashboards and a clear, concise understanding of the variables being presented. Draw your charts before initiating any assessment or report.

Remember, they are only reports: sniff, do not swallow.

Lesson 2: Be Realistic

Price is what you pay. Value is what you get. Warren Buffett

One year, my cholesterol was a bit high. Being married to a beautiful Italian woman who loves to cook means cheese is a part of most dinners. Plus, being an American, moderation is a relative term defined by current emotion. My Dutch doctor asked me, “How do you spell cheese?” At first, I thought this was some kind of cognitive test. Or maybe he was trying to determine if I was mentally sound. So with a confused look on my face I slowly spelled, “C-H-E-E-S-E.” I think I hesitated to make sure I was spelling it correctly. He replied, “No. Cheese is spelled F-A-T.”

Then he told me about his three basic rules of longevity: eat right, exercise regularly, and be happy. The side effects of this plan include good sleep, better relationships, and an enjoyable life. Life is short. The concept is simple in theory, but difficult in practice. Nevertheless, it’s a great and simple approach to living a long and satisfying life.

We can apply the same philosophy to risk management. Take risks in moderation; in other words, don’t take risks that could cripple your organization. Implement healthy risk habits that become company standards. Conduct regular training to make sure everyone is knowledgeable and proficient. Administer regular check-ups and evaluations. Understand your risk environment. Ensure you have transparency and visibility. Learn to know if something is wrong. And don’t forget to be happy and have fun.

I often say to executives, “If you could only do one thing for risk management, what would it be?” My simple answer to that question is to make everyone take a yoga class every day. We tend to only look at risk in isolation and view it as “out there.” We’ll spend a lot of money implementing new security for our servers, but do nothing for the people overseeing the servers. Most of the risks your company faces are the risks to your people: chronic stress, heart disease, poor exercise habits, poor decisions, etc. Yoga (or a similar activity) helps people reduce these risks, and thus reduces your overall organizational risk. It also helps with mental state, which is widely ignored in risk management. People are always the ones managing and responding to threats.

My Dutch doctor passed on another bit of wisdom regarding longevity: the rule of 70%. Approximately 70% of all the health benefits one gets from exercise can be accomplished with one set of exercise … meaning if you did one set of twelve reps of squats, bench press, pull-downs, etc. you would get 70% of the value. That piece of information was a revelation that helped me to quantify health. Be realistic and practical about it. You don’t need to be at 100% in anything. Actually, just working out really hard for 25 to 30 minutes a day is a massive benefit. Unless you are a professional athlete, all you need is regular, moderate exercise and regular check-ups. When you get sick, you need time to get well and become stronger. Aim for the 70% mark and you will be in good shape.

Lesson 3: Create Healthy Habits

The chains of habit are generally too small to be felt until they are too strong to be broken. Samuel Johnson

Everyone has a day job that is directly tied to the bottom line and has immediate consequences. We all have an after-work life with family and friends. Being healthy doesn’t have to be a full-time job. It’s about integrating health into your life. Simple changes in habit, such as taking the stairs, snacking on veggies, and communicating better, can have huge rewards. We should approach risk management the same way, by being practical and realistic.

Consider that there are only 168 hours in a week. If you break your week into blocks of time, such as work, rest, time with family and friends, and outside interests, it would probably look something like this:

  • Work: 50 hours (30%)
  • Sleep, Travel, Getting Ready: 90 hours (54%)
  • Time with family and friends: 18 hours (11%)
  • Outside interests: 10 hours (5%)
  • Total: 168 hours

When we need to work longer hours, we usually take time away from family and friends. In the workplace, if we need more time or resources to devote to a specific project, we usually take it from areas that are not time sensitive or immediate such as risk management, especially when we are not in a crisis.

What is the appropriate allocation of time, resources, and money to risk management? It depends. There is no simple answer to this question because there are simply too many variables and too many individual characteristics to consider. Each organization is a unique organism and what works for one organization might not work for another. The amount an organization spends on risk management depends on a number of variables such as the organization’s definition of risk management, the maturity of the program within the organization, annual revenue, Value-at-Risk (VaR), the number of sites, the complexity of the marketplace, the sophistication of the organization’s products and services, their business model, co-dependencies, and other factors. The key is to define the top three to five variables for your organization.

It is very hard for organizations to spend definite and immediate time and money for a delayed or probable benefit. Humans tend to respond to immediate and urgent situations, those within close proximity, much better than those that are not close in time or space (i.e., proximity). This explains why many of us don’t save enough for retirement and don’t quit bad habits until we get sick. It explains why we don’t do anything until there is trouble. It is extremely important to take care of risk now and create the daily habits. 

Lesson 4: It Takes a Council

If you think it’s expensive to hire a professional to do the job, wait until you hire an amateur. Red Adair

In my two days at the Mayo Clinic, I see more than fifteen different doctors. No single doctor could possibly assess all the possible diseases and medical issues out there. But in risk management, we ask a single person, a risk manager, to handle everything. It is not practical.

This practice needs to end. We call this idea the “death of the master builder.” I first read about it in the book The Checklist Manifesto by Atul Gawande. He wrote that a single person, a master builder, once constructed buildings. The Master Builder built our buildings: one person in charge of everything. A Master Builder built the White House, St. Patrick’s Cathedral, and so on. When the knowledge and specialization required (i.e., complexity) to build became too great for one person, the Master Builder era ended. It occurred in the early 1900s. The same thing happened to the medical, legal, and accounting fields. There are something like 18,000 recognized diseases. No longer do you go to one doctor. Instead, you have a primary doctor and then a doctor for every specialty.

In today’s world, having one person oversee the entire construction of a building would be impossible; there is simply too much information for one person to handle. The industry still believes that there can be a Risk Management Master Builder; someone who can do it all. The complexities of today’s world, the networked world we live in, the lack of risk visibility, and the organizational pressure to be lean/efficient have turned us into jugglers rather than Master Builders.

Similarly, we need a network of risk management specialists, not one person, to handle the various aspects of risk management. Crisis communication is vastly different than IT recovery and insurance, which is vastly different than emergency management. One person at a company cannot possibly manage all this effectively. 

Lesson 5: Learn to ask why one too many times

Faster is slower. Peter Senge

You cannot ask why often enough and you can’t inquire often enough. At the end of the day, you need to be your best proponent and investigator. I love the “5 whys” philosophy developed by Sakichi Toyoda, which was pioneered at Toyota. It is also a philosophy my three-year-old son innately understands and skillfully executes daily. The 5 whys can be used to explore the cause-and-effect relationships underlying a particular problem. The main goal of this technique is to determine the root cause of a problem. Once you get to the root cause of something, you can better scope the issue and create a solution.

Below are a few BCM examples where I go beyond the 5th why:

  • Why 1: We need to do a BIA. Why? 
  • Why 2: Because we need to understand the impact of a disruption to the organization. Why?
  • Why 3: Because we need to understand the cost of potential downtime and areas most sensitive or disruptive to the organization. Why?
  • Why 4: Because we need to understand the cost of downtime vs. the investment cost of uptime to decide what recovery and resiliency strategies to implement. Why?
  • Why 5: Because we need to ensure we have the appropriate level of recovery and resiliency capabilities so a crisis event won't cripple us. Why?
  • Why 6: Because in today's world, our market, with limited resources and market stability, a loss of inventory or a greater than five day disruption could threaten the survivability of the organization. Why?
  • Why 7: The majority of our services and products have low switching cost and low brand loyalty. We are in the middle of transforming our organization to meet the needs of the future and reduce revenue from commodity-driven (price-driven) sales. Why? … just keep going until you are satisfied.

Simply asking why you want to create a BIA can lead to the root cause of the problem. Many times, we just assume companies need to do a BIA because it is part of the normal assessment process, but often do not dive deep into understanding why the organization needs a BIA. By asking why repeatedly, we can clearly and concretely define the purpose and desired outcome of the BIA.

This allows us to tailor the BIA to the specific problems and decisions leadership needs solved and answered. In the series of questions above, the organization is looking to define a point-of-no-return boundary as it pertains to revenue and cash (i.e., liquidity concerns); therefore, what the organization really wants is to put in place solutions to prevent it from crossing that boundary in the most cost-effective and efficient manner possible.

The 5 whys can be applied at a more granular level. It can be used, for example, to dive deeper into parts of the BIA: 

  • Why 1: We need to define our critical path process. Why?
  • Why 2: Because we need to understand the recovery priority and sequence of business processes by department. Why?
  • Why 3: Because we need to understand the process recovery order and time sensitivity by department to identify the recovery requirements of their supporting resources. Why?
  • Why 4: Because we need to synchronize the recovery of people, processes, and technology. Why? 
  • Why 5: Because we need to understand where we should spend our limited resources and investments. Why?
  • Why 6: Because we need to understand the general game plan to put the pieces back together and have agreed-upon reasons why we are doing it the way we are doing it. Why?
  • Why 7: Because we want to recover as fast as possible with limited impact to our customers. Why?
  • Why 8: Because downtime is not acceptable in today's world.

Or suppose your organization wants to buy BCM software:

  • Why 1: We need BCM software or a tool. Why?
  • Why 2: Because we need a place to store all of our data and plans. Why?
  • Why 3: Because we need to update, maintain, and report on collected information. We need a place to store the information. Why?
  • Why 4: Because it is difficult to use Microsoft Word and Excel to manage the data collection and analysis process. If we can get the data and information into a database, we can do proper analysis and reporting. Why? 
  • Why 5: Because it seems like every three years we have to repeat everything and we are wasting too much money and time with the current process. Why? 
  • Why 6: Because we have a very small BCM department that needs to operate in a decentralized manner. We need to get people to update the information and plans locally. Currently it feels like herding cats. Why?
  • Why 7: Because the only way we can keep up with requirements and audits is if everyone does their job. We need a simple and easy to use tool that anyone in the organization can use. Why? 
  • Why 8: Because we spend all of our time getting the data and very little on analysis, strategy, and vision. We spend 90% of our time on data collection and plan building and 10% on strategies, threat intelligence, and vision. It needs to be the other way around. The tool needs to act as our staff; that is, we need to automate as much as possible.  

You can see from this example that the owner needs a tool that allows someone with minimal expertise and computer skills to execute and maintain information.

Mayo Clinic Considerations

“It is common sense to take a method and try it. If it fails, admit it frankly and try another. But above all, try something.” Franklin Delano Roosevelt

My philosophy can be boiled down to one statement – life is short, so spend your time wisely and focus on what is important. Below are the things I learned from the Mayo Clinic, and I urge you to use them to assess your own organization’s need for change.

  1. Build and read the charts: Define variables for success and failure, health and disease, resilience and fragility. Assess your charts. How do you make diagnostic decisions or solve problems?
  2. Be realistic and practical: Review your plans for the past ten years. What has worked and what hasn’t? Find out why. How much did you deviate from your goals? Break down the time, resources, and funds needed by role. Consider your other obligations. What is practical and realistic to devote to risk management?
  3. Create healthy habits: What is the organization doing that is consistent and regular? What incidents have occurred in the past? How have you learned from them and what have you changed?
  4. It takes a council: Are you a lone ranger or do you have a council of trusted advisors or a steering committee? How well do the experts and knowledge owners work together?
  5. Ask why: Always ask why in everything you are doing and be sure to record your answers.

Enjoy - Sean